Chrome zero‑day patched

NVD’s entry for CVE‑2026‑5281 describes a use‑after‑free in the Dawn WebGPU implementation that affects Google Chrome versions prior to 146.0.7680.178 and shows the record was added on April 1, 2026. (nvd.nist.gov) The NVD/CISA metadata assigns an ADP/CVSS-derived severity of 8.8 to the Dawn use‑after‑free and lists a remediation due date of April 15, 2026 under Binding Operational Directive 22‑01. (nvd.nist.gov) Google issued an out‑of‑band Desktop update on April 1, 2026 and the Chrome release notes state Google is aware an exploit for CVE‑2026‑5281 exists in the wild. (chromereleases.googleblog.com) Technical details in the advisories note the bug allows an attacker who has compromised the renderer process to execute arbitrary code via a specially crafted HTML page, and vendors such as Vivaldi have already pushed fixes while Microsoft said it is preparing an Edge update. (nvd.nist.gov) Chrome Enterprise and Education documentation confirms admins can enforce auto‑update policies, schedule or require relaunch notifications, and manage browser versions centrally through the Google Admin console or Chrome Browser Cloud Management. (support.google.com) NVD’s KEV linkage and Chrome’s release cadence together make April 15, 2026 an operational prioritization deadline for organizations following CISA guidance; admins can use Group Policy, Intune/MDM or the Admin console to push MSI/MDM updates or force relaunch notifications to apply the patch. (nvd.nist.gov)